09-29-2020 03:22 AM
Hello ;
For one our Customer running PA 3200 Series in HA having GP License ( HIP checks)
Currently the GP Portal and Gateway have common Interface . The GP URL is vpn.connection.it ( sample name)
The requirement is that
Internal Users use the URL : internal.vpn.connection.it
External Users(Partners) use the URL : external.vpn.connection.it
The Users are part of different user groups .
So can we achive this using the same ( Single Public ) IP address or do we need two Public IP address
We can to use different HIP profiles for Internal and External users .
Do we need to create two different tunnel interface or loopbacks ? or two different gateways ?
09-30-2020 12:24 PM
Hey @FWPalolearner ,
I understand that you use loopback for GP portal and gateway and use NAT to translate the public to the loopback. I still don't understand why you do this way instead of use the eth1/1 in the GP portal and gateway on first place.
But let discuss the other point - "But I can still create a gateway with same loopback" even if you somehow manage to use same interface/ip on multiple gateway you should receive error during commit. Think about it - all comes done to sockets, creating GP gateway will create TCP socket which FW will listen for connections. Sockets consists of ip and port and you can have different services/application on different combination of ip and port. If you create second GP gateway you need to create second socket and since you cannot use different port (always using the standard port for SSL or IPSec) the only part you can change is the ip. Assigning same int and ip to both GP gateways will try to create two exactly the same sockets which will generate commit error.
And the same concept for the sockets apply for your NAT rules. I assume that you have NAT rule says "any public source to dest x.x.x, nat to any public source to dest 192.168.1.75". If you create second NAT rule similar to above, but with dest 192.168.1.76, the second nat will never hit (because the first math will be applied). Again you can play with ports as GP doesn't allow you change default ports, so the only way for the fw to apply the different nat rules is to use source ip address as matching criteria, but this defied the purpose of remote access vpn, because you will need to know from which public ip will the users connect.
09-29-2020 03:53 AM
Hi,
you can achive this with configuring an Internal Gateway and an external Gateway and one or two portal, the Internal Gateway is an interface on your internal Network, External Gateway accessed from Outside normally out from internet (Public-IP) - Tunnel interface required here.
for more information check these out
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClH1CAK
09-29-2020 05:17 AM
Thanks for your reply
We are already have an Internal gateway which is being used currently only by Internal users when they are in Corporate network
The goal is this exercise is when Users connect to the GP outside of the company network ( internet or at home)
All the Corporate Users should use the URL internal.vpn.X . Different HIP profile , different IP Pool . different zone and different rules
All the Non Corporae users should use the URL external.vpn.X . Different HIP profile , different IP Pool . different zone and different rules
So my Query is whether we need two Tunnel Interfaces( One for each external Gateway) and two Loop backs ( one for each Portal )
So do i have to create two external gateways using two different loopbacks
and in the Portal settings define difference Address( FQDN) ?
Also , do i need two Public IPs ? or 1 can solve the purpose
09-29-2020 06:19 AM
then what you need is 2 external gateways, two tunnels, two public Ips.
another soultion would be same gateway, seperation based on users , and you can also define different IP pool for these non-corporate users and the networks that should they access with split-tunneling and add/edit your security policies as needed .
09-29-2020 06:53 AM
Hi @FWPalolearner ,
I suggestion is to always avoid multiple ip address on same interface like you would avoid a plague/covid. I cannot claim I have deploy lots of GPs, but I haven't yet saw a real need to configure multiple portals on single device, so I will try to avoid such setup as well.
As @Abdul-Fattah mentioned you can provide single portal and once the user authenticate you can have group/user base separation (have different ip pool, dns, access etc for each user group). This would be the easiest way to have complete separation between internal users and contractors/3rd-party. The problem with this approach is that both type of users will need to use same authentication type. You can use different domain for user authentication, but the the type (LDAP, RADIUS, etc) must be the same for both (if you use mfa over radius you can be creative, but it is up to the mfa and not the fw). And as you can imagine both type of users will use the same vpn address.
If you really want internal users to use one address and contractors/external user to use completely different address - the only way to achieve this is to have second portal/gateway. As mentioned I would avoid secondary IP, instead I would recommend to use loopback (configure loopback with public ip, put it in untrust/outsie zone and use it for the gp portal and gw).
The only benefit I can think of is that you can apply different authentication type for each user group, so it is interesting for me to understand the reason why you need separate addresses
09-29-2020 07:07 AM
Hi @aleksandar.astardzhiev @Abdul-Fattah
Thanks for your inputs ; really appreciate
The Customer requirement is to use two different URLs . I understand that we use different user groups but user groups are already in place
thre requirement is to have different URL and Different Portal
So what i understood , we need below on PA cluster - can you please confirm :
1) two GP Gateways with two Loopbacks ? two GP portals - where in - for one we define the URL for external and for other the internal one
2) two tunnel interfaces , two loopbacks - with different IPs
3) two zones - one for Internal and one for external ?
I still have doubt, why cant we use the same Public IP as we can make both DNS entries to resolve to same IP
09-29-2020 08:01 AM
two domains resolving to same IP, for palo alto you are using only one IP. the Firewall does not care about Public-domains. as i mentioned earlier :
"another soultion would be same gateway, seperation based on users , and you can also define different IP pool for these non-corporate users and the networks that should they access with split-tunneling and add/edit your security policies as needed ."
and for portal you change nothing.
Good Luck.
09-29-2020 08:10 AM
Hey @FWPalolearner ,
You can setup both DNS records to resolve to same IP, but:
- First you need to apply wildcard certificate on the portal or use certificate with SAN (subject alternative names)
- Even the users are pointed to different addresses they are still ended on the exact same portal, so they will be prompted with exact same authentication. This really annoys me with GP portal, there is no way to use multiple authentication realms and provide a way for the user to select/navigate to required auth realm.
So as long as you will use the same authentication type (LDAP, radius, etc) for all users (external and internal) you should be fine using two DNS records pointing to the same ip and having one portal. The important think here is the SSL certificate that will be used for the portal - either it must be wildcard (to match both urls) or it must list both in SAN (subject alternative names).
Your really don't need two gateways. You can use same gateways for both external and internal users, and using user group to apply different settings. The problem is again with the address, however during GP portal config you can specify different gateway addresses for each user group. So you can actually the exact same DNS records that you are using for the portal. And for the GP gateway you need to use the same SSL certificate (either wildcard or with SAN)
09-29-2020 08:23 AM
you can leverage "authentication-sequence" and select multiple authentication types/profiles (LDAP,Radius,Local..) and use it for Portals and Gatways.
09-29-2020 12:30 PM
Hi @aleksandar.astardzhiev @Abdul-Fattah
Can't thank you enough for your support and inputs.
I will share my change plan with you to have a final look in it please. I will share it quickly
09-30-2020 05:25 AM
@aleksandar.astardzhiev @Abdul-Fattah
Below is what i am planning can you and provide your input
************************************
What we have now
the VPN URL we are using now is vpn.connect.it which resolves to the IP of Public Interface of the firewall
FW Public Interface : x.x.x.x
FW public zone : INTERNET
Loopback Interface : loopback.1 with an IP 192.168.75.1 bind to a zone called GP
Tunnel interface : tunnel.1 Bind to zone GP
Portal Config :
We have the Authentication sequence and a Wildcard in the SSL Service Profile for *.connect.it
We are using loopback.1 as the Interface . We are having the User groups defined in the Agent config
In the Agent config in the External Section , we have defined Host name vpn.connect.it
Gateway Config :
We are using the same loopback.1
same wildcard
In the agent we are using tunnel.1
and we have a Pool allocated for all the users defined in the user group
----------------------------------------------------------------------------------------
Now as we want separate Portal for Corp users and Partners , here is my plan
Create another DNS entrie for
partner.external.it
The Corp users will continue to use vpn.connect.it
both will resolve to x.x.x.x
Create a new Loopback loopback.2 with an IP 192.168.76.1 and bind to zone GP-EXT
Create a new Tunnel interface tunnel.2 and bind to zone GP-EXT
Portal Config :
Create a new Portal with loopback.2 and same auth sequence ;same wildcard
in the agent config in external section , define partner.external.it and in user groups only external AD users
Gateway Config
Use Loopback.2
same wildcard
In the agent , define tunnel.2 and separate pool for external users
Configure the required Firewall rules for new zone GP-EXT
The Point here is
currently
x.x.x.x is natted to 192.168.75.1
So how to NAT it to 192.168.76.1 for external users ??
Do i have to use another Public IP then
09-30-2020 11:20 AM
Hey @FWPalolearner ,
From your explanation I don't believe you will need the second portal/gateway/loopback/tunnel.
1. Create new DNS record for external.connect.it to FW public x.x.x.x
2. Under the current portal create two "agent" configs based on user group, one for internal and one for partner users.
3. In first config set for external gateway "internal.connect.it", and for second agent config set "external.connect.it"
4. Under the current gateway create two client settings based on the two user groups (gateway -> agent -> client settings).
5. Under each client settings configure IP pool. Important note here is that you must not use Client IP Pool (gateway ->agent -> client ip pool). On this tab you define one single IP pool for all connected users, no matter which user group they are. To be able to configure different ip pool for each user group you must remove any config from client ip pool tab and put it under the client settings
And that should be enough. If you think for a moment only difference between the two "portals" is the FQDN that users are using, which really doesn't matter as long as you have a valid certificate to cover both addresses. Everything else should be standard user group based separation which you can accomplish with single portal and gateway.
09-30-2020 11:27 AM
@aleksandar.astardzhiev Thanks a lot . This is now very much easy and you made it very clear
I just have last doubt still .
Can i create a second tunnel interface and bind it to a new zone
This way i will create two GP gateways with two different tunnel interfaces - one for Corp and other for External
The only point is this will provide more security because we will have different Zones and can use them specifically
Kindly let me know your feedback on this
Again Many many Thanks . you are a saviour 🙂
09-30-2020 11:45 AM
Hey @FWPalolearner ,
If you want to have separate gateway you definitely must use different IP, because you cannot have more than one GP gateway (or portal) on same interface.
But I would suggest to think for a moment if you really gain any benefit separating users into zones:
1. You already separate users based on user groups and assign different IP pools. Even that both type of users (internal and partners) are coming from same zone you still can use source user group and source ip to granular control over the user access.
2. If you worry about restricting access between VPN users (partner user connected to vpn to reach internal vpn user), I am not 100% sure at the top of my head, but I believe you can simply configure explicit intrazone rule to control the traffic between users.
Again even that all users are associated with same zone you still have other methods to differentiate between them.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
